[apparmor] [patch] honor 'chown' file events in logparser.py

Christian Boltz apparmor at cboltz.de
Sun Jun 5 13:47:24 UTC 2016 

Hello,

$subject.

Also add a testcase to libapparmor's log collection


I propose this patch for trunk, 2.10 and 2.9


[ 01-logparser-chown.diff ]

--- utils/apparmor/logparser.py 2016-06-01 22:36:33.948597566 +0200
+++ utils/apparmor/logparser.py 2016-06-05 15:39:16.365476108 +0200
@@ -296,7 +296,7 @@
                 self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile'])
 
         elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or
-            e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src',
+            e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src',
                                 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link',
                                 'sysctl', 'getattr', 'setattr', 'xattr'] ):
 
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err'
=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in'
--- libraries/libapparmor/testsuite/test_multi/file_chown.in    1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/file_chown.in    2016-06-05 13:41:02 +0000
@@ -0,0 +1,1 @@
+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4

=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out'
--- libraries/libapparmor/testsuite/test_multi/file_chown.out   1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/file_chown.out   2016-06-05 13:41:11 +0000
@@ -0,0 +1,15 @@
+START
+File: file_chown.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1465133533.431:728
+Operation: chown
+Mask: w
+Denied Mask: w
+fsuid: 0
+ouid: 4
+Profile: /usr/sbin/cupsd
+Name: /run/cups/certs/
+Command: cupsd
+PID: 8515
+Epoch: 1465133533
+Audit subid: 728



Regards,

Christian Boltz
-- 
> The wiki is as much yours as it is ours, and if you think that
> someone deserves recognition by naming them, you don't need
> anybody's permission.
Then I must put my thanks to Bill Gates somewhere. he made me use
Linux.  :-)          [> Peter Flodin and houghi in opensuse-wiki]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160605/a945ea8d/attachment.pgp>

More information about the AppArmor mailing list